From d5b65fb55730d5cb4f11f52c2a4e05c312cd3896 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Tue, 14 May 2024 11:52:37 +0200 Subject: [PATCH] ssl: Enhance alert handling Make it easier to distinguish between a invalid signature and unsupported signature Closes #8466 --- lib/ssl/src/ssl_certificate.erl | 14 +++++++------- lib/ssl/src/ssl_handshake.erl | 2 ++ lib/ssl/test/ssl_cert_SUITE.erl | 2 +- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl index 09705b949792..527a9d37f492 100644 --- a/lib/ssl/src/ssl_certificate.erl +++ b/lib/ssl/src/ssl_certificate.erl @@ -222,7 +222,7 @@ validate(Issuer, {bad_cert, cert_expired}, #{issuer := Issuer}) -> validate(_, {bad_cert, _} = Reason, _) -> {fail, Reason}; validate(Cert, valid, #{path_len := N} = UserState) -> - case verify_sign(Cert, UserState) of + case verify_sign_support(Cert, UserState) of true -> case maps:get(cert_ext, UserState, undefined) of undefined -> @@ -231,7 +231,7 @@ validate(Cert, valid, #{path_len := N} = UserState) -> verify_cert_extensions(Cert, UserState#{path_len => N-1}) end; false -> - {fail, {bad_cert, invalid_signature}} + {fail, {bad_cert, unsupported_signature}} end; validate(Cert, valid_peer, UserState = #{role := client, server_name := Hostname, customize_hostname_check := Customize}) when Hostname =/= disable -> @@ -592,22 +592,22 @@ verify_cert_extensions(Cert, UserState, [_|Exts], Context) -> %% Skip unknown extensions! verify_cert_extensions(Cert, UserState, Exts, Context). -verify_sign(_, #{version := Version}) +verify_sign_support(_, #{version := Version}) when ?TLS_LT(Version, ?TLS_1_2) -> %% This verification is not applicable pre TLS-1.2 true; -verify_sign(Cert, #{version := ?TLS_1_2, +verify_sign_support(Cert, #{version := ?TLS_1_2, signature_algs := SignAlgs, signature_algs_cert := undefined}) -> is_supported_signature_algorithm_1_2(Cert, SignAlgs); -verify_sign(Cert, #{version := ?TLS_1_2, +verify_sign_support(Cert, #{version := ?TLS_1_2, signature_algs_cert := SignAlgs}) -> is_supported_signature_algorithm_1_2(Cert, SignAlgs); -verify_sign(Cert, #{version := ?TLS_1_3, +verify_sign_support(Cert, #{version := ?TLS_1_3, signature_algs := SignAlgs, signature_algs_cert := undefined}) -> is_supported_signature_algorithm_1_3(Cert, SignAlgs); -verify_sign(Cert, #{version := ?TLS_1_3, +verify_sign_support(Cert, #{version := ?TLS_1_3, signature_algs_cert := SignAlgs}) -> is_supported_signature_algorithm_1_3(Cert, SignAlgs). diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl index 7dd60829a12e..09341905e956 100644 --- a/lib/ssl/src/ssl_handshake.erl +++ b/lib/ssl/src/ssl_handshake.erl @@ -2111,6 +2111,8 @@ path_validation_alert({bad_cert, invalid_issuer}) -> ?ALERT_REC(?FATAL, ?BAD_CERTIFICATE); path_validation_alert({bad_cert, invalid_signature}) -> ?ALERT_REC(?FATAL, ?BAD_CERTIFICATE); +path_validation_alert({bad_cert, unsupported_signature}) -> + ?ALERT_REC(?FATAL, ?UNSUPPORTED_CERTIFICATE); path_validation_alert({bad_cert, name_not_permitted}) -> ?ALERT_REC(?FATAL, ?BAD_CERTIFICATE); path_validation_alert({bad_cert, unknown_critical_extension}) -> diff --git a/lib/ssl/test/ssl_cert_SUITE.erl b/lib/ssl/test/ssl_cert_SUITE.erl index ef9e2cf75933..18fbddf83cb8 100644 --- a/lib/ssl/test/ssl_cert_SUITE.erl +++ b/lib/ssl/test/ssl_cert_SUITE.erl @@ -1216,7 +1216,7 @@ unsupported_sign_algo_cert_client_auth(Config) -> 'tlsv1.3' -> ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, certificate_required); _ -> - ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, bad_certificate) + ssl_test_lib:basic_alert(ClientOpts, ServerOpts, Config, unsupported_certificate) end. %%--------------------------------------------------------------------